在Java应用程序和MySQL实例之间启用SSL连接时遇到问题

Trouble enabling the SSL connection between a Java application and a MySQL instance

提问人:buggrinder 提问时间:10/23/2023 更新时间:10/23/2023 访问量:58

问:

我在 Java 应用程序和 MySQL 实例之间启用 SSL/TLS 连接时遇到问题。

我的 Java 应用程序的日志中出现以下警告消息:

WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.

初始情况:

我的 MySQL 数据库托管在 AWS RDS 上。在 AWS 控制台中,数据库的证书颁发机构列为“rds-ca-2019”。根据 AWS 文档,此证书颁发机构提供区域和全球证书捆绑包中包含的证书。我使用了 .pem 格式的相应区域捆绑包和 .pem 格式的相应全局捆绑包。该应用程序在 Java 17 上运行,并使用 jdbc URL 建立连接。MySQL版本为5.7.42。

尝试 1:

我像这样构建了jdbc URL:

jdbc:mysql://<dns_name>:3306/<db_name>?zeroDateTimeBehavior=convertToNull&amp;autoReconnect=true&amp;useUnicode=yes&amp;characterEncoding=UTF-8&amp;useSSL=true&amp;sslMode=VERIFY_IDENTITY&amp;trustCertificateKeyStoreUrl=file%3A%2Fetc%2Fssl%2Fcerts

作为 trustCertificateKeyStoreUrl,我在 Debian 系统中使用了证书的默认文件夹。在那里,我放置了刚才提到的捆绑包,并将 chmod 的权限设置为 644。/etc/ssl/certs

尝试 2

我使用 keytool 创建了自己的 truststore.jks,并使用 keytool 导入了两个官方 AWS 证书捆绑包,并调整了 jdbc URL:

jdbc:mysql://<dns_name>:3306/<db_name>?zeroDateTimeBehavior=convertToNull&autoReconnect=true&useUnicode=yes&characterEncoding=UTF-8&useSSL=true&sslMode=VERIFY_IDENTITY&trustCertificateKeyStoreUrl=file%3A%2Fetc%2Fssl%2Fcerts%2Ftruststore.jks&trustCertificateKeyStorePassword=<my_pass>

不幸的是,这也不能解决问题,我仍然收到警告。

尝试 3:

我发现 Java 有一个默认的信任库,如果你没有在 jdbc URL 中指定一个信任库,显然会使用它。它在 下作为符号链接链接。在那里,我再次使用 keytool 导入了区域和全球证书包。仍然有警告消息....../usr/lib/jvm/temurin-17-jdk-amd64/lib/security/cacerts/etc/ssl/certs/adoptium/cacerts

尝试 4:

我在运行 .jar 时启用了 SSL 调试日志,但日志对我没有帮助:

javax.net.ssl|DEBUG|10|main|2023-10-18 14:12:55.371 CEST|SSLCipher.java:466|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = ...
javax.net.ssl|DEBUG|10|main|2023-10-18 14:12:55.381 CEST|SSLCipher.java:466|jdk.tls.keyLimits:  entry =  ChaCha20-Poly1305 KeyUpdate 2^37. CHACHA20-POLY1305:KEYUPDATE = ...
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.654 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.655 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.656 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.657 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.657 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.658 CEST|X509Authentication.java:249|No X.509 cert selected for DSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.658 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.659 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.659 CEST|X509Authentication.java:249|No X.509 cert selected for DSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.660 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.660 CEST|X509Authentication.java:249|No X.509 cert selected for RSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.661 CEST|X509Authentication.java:249|No X.509 cert selected for DSA
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.661 CEST|X509Authentication.java:249|No X.509 cert selected for EC
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.810 CEST|SSLSocketImpl.java:1334|Closing output stream
javax.net.ssl|DEBUG|10|main|2023-10-18 14:12:55.811 CEST|SSLSocketImpl.java:577|duplex close of SSLSocket
javax.net.ssl|DEBUG|10|main|2023-10-18 14:12:55.812 CEST|SSLSocketImpl.java:1759|close the underlying socket
javax.net.ssl|DEBUG|10|main|2023-10-18 14:12:55.813 CEST|SSLSocketImpl.java:1785|close the SSL connection (initiative)
javax.net.ssl|DEBUG|10|main|2023-10-18 14:12:55.813 CEST|SSLSocketImpl.java:837|close inbound of SSLSocket
javax.net.ssl|WARNING|10|main|2023-10-18 14:12:55.816 CEST|SSLSocketImpl.java:595|SSLSocket duplex close failed. Debug info only. Exception details: (
"throwable" : {
  java.net.SocketException: Socket is closed
        at java.base/java.net.Socket.shutdownInput(Socket.java:1601)
        at java.base/sun.security.ssl.BaseSSLSocketImpl.shutdownInput(BaseSSLSocketImpl.java:219)
        at java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:853)
        at java.base/sun.security.ssl.SSLSocketImpl.bruteForceCloseInput(SSLSocketImpl.java:802)
        at java.base/sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:664)
        at java.base/sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:584)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.close(SSLSocketImpl.java:1338)
        at java.base/java.io.FilterOutputStream.close(FilterOutputStream.java:188)
        at org.postgresql.core.PGStream.close(PGStream.java:738)
        at org.postgresql.core.QueryExecutorBase.close(QueryExecutorBase.java:156)
        at org.postgresql.jdbc.PgConnection.close(PgConnection.java:749)
        at com.dtad.dtad_content_indexer.Indexer.initGeoMapper(Indexer.java:130)
        at com.dtad.dtad_content_indexer.Indexer.<init>(Indexer.java:48)
        at com.dtad.dtad_content_indexer.Indexer.main(Indexer.java:56)}

)
javax.net.ssl|ALL|10|main|2023-10-18 14:12:55.817 CEST|SSLSocketImpl.java:1139|Closing input stream

我希望有人能帮我解决这个问题,因为我已经做了几次尝试都没有成功。我也不完全确定该问题是否与信任库有关,或者是否由其他原因引起。

提前致谢!

java mysql ssl jdbc amazon-rds

评论

答: 暂无答案

上一个:无法从 Java 连接到 MySQL:MySQL 驱动程序连接逻辑中的 NullPointerException

下一个:mysql-connector 没有找到 com.mysql.cj.jdbc.Driver?[复制]